Arup hit with $25.6M deepfake video-call fraud in Hong Kong
Deepfake and voice cloning breach Arup's defenses
Arup, the multinational engineering and design firm, fell victim to a $25.6 million fraud in February 2024 after criminals deployed deepfake video, synthetic voice, and social engineering to impersonate the company's senior executives in video calls to Hong Kong-based employees keepnetlabs.com.
The attack targeted employees in Arup's Hong Kong office and relied on a combination of AI-generated video impersonation and voice cloning to create convincing replicas of company leadership. By mimicking the appearance and voice of legitimate executives, the fraudsters overcame normal authentication and verification protocols that would typically flag suspicious transfer requests.
How the attack unfolded
The perpetrators conducted video calls using deepfake technology to visually impersonate Arup's CFO and other senior figures. Simultaneously, they deployed voice synthesis to replicate the executives' vocal patterns and speech cadence—a technique that exploits the human tendency to trust audio-visual confirmation during high-stakes business communications.
The attackers then used social engineering tactics to pressure employees into executing wire transfers under the guise of urgent, confidential business needs. This combination of technical spoofing and psychological manipulation proved effective enough to move $25.6 million out of the firm's accounts before the fraud was detected.
Implications for corporate security
The Arup incident represents one of the largest documented losses from AI-driven identity fraud and demonstrates how deepfake technology has moved from theoretical risk to operational threat in enterprise environments. The attack exploited a critical gap: while corporations invest in network security and access controls, they remain vulnerable at the human authentication layer when employees are confronted with seemingly legitimate visual and audio confirmation from authority figures.
The case underscores the urgency of implementing multi-factor authentication protocols that do not rely solely on video or audio verification, establishing callback verification procedures using independently verified contact numbers, and training employees to recognize the hallmarks of synthetic media—including subtle artifacts in video quality, lip-sync timing, or unusual communication patterns.
No court proceedings, regulatory findings, or penalty details have been publicly confirmed as of June 2026. The incident remains a watershed moment for corporate security teams grappling with the reality that AI-powered identity fraud can now bypass traditional trust signals.
